When can an employer be held liable for the actions of its staff?

22 July 2020

Most employers will be aware that they can be held liable for an employee's actions in the course of their employment. This principle has previously been used by victims to bring claims against organisations for historic sexual abuse and by employees to bring harassment claims for actions at the office Christmas party.

In the recent decision of WM Morrison Supermarkets Plc v Various Claimants, the Supreme Court considered whether the supermarket could be held liable for a data breach by a disgruntled employee. The facts in this particular case were extreme but the decision has clarified the limits of vicarious liability which can be used to shape employers' practices.

Andrew Skelton was employed as a senior auditor at Morrisons and had been given access to payroll data in the course of his duties, which he had copied over to a personal USB stick. Outside of work time and on his personal mobile phone, he then uploaded this data to a publicly accessible file-sharing website and posted links to the data on other websites. He also posted CDs containing the data to a number of newspapers, who alerted Morrisons. Morrisons took prompt action to remove the data from the internet within a few hours and informed the police. Mr Skelton was charged and sentenced to 8 years' imprisonment for the misuse of the data and the claimants, who were employees or former employees of Morrisons, brought proceedings against the supermarket.

The High Court held that Morrisons was vicariously liable for Mr Skelton's breach and the Court of Appeal dismissed Morrisons' appeal against the decision. Both courts commented that Morrisons' policies and procedures to protect against a data breach were for the most part sufficient, but that they should have removed Mr Skelton's access to the payroll data once he had completed the task. Morrisons appealed to the Supreme Court.

The Supreme Court allowed the appeal, deciding that Morrisons was not vicariously liable for Mr Skelton's actions. They reiterated the general principle of vicarious liability that the wrongful conduct has to be so closely connected with the employment as to be regarded as carried out in the course of it. In this case, disclosing the data on the internet was not part of Mr Skelton's role and the reason why he committed the breach was highly relevant; the question was whether he was acting for his employer's business or for purely personal reasons.

In summary, the Court concluded that Mr Skelton's employment gave him the opportunity to commit the act but this was not enough to impose vicarious liability on Morrisons. Mr Skelton had been pursuing a personal vendetta rather than working in the interests of Morrisons' business, so his actions could not be said to be closely connected to his employment.

So, what can an employer do to reduce the risk of being held liable for its employees' actions?

  • Implement, audit and enforce policies. Having a policy is only the first step to avoiding liability. Employers should robustly audit procedures (for example, to ensure data protection security measures are being adhered to or that recruitment practices are being followed) to confirm they're being implemented across the organisation and make improvements where necessary.
  • Review IT practices. One of the points that was considered relevant in this case was that Mr Skelton used his personal device to upload the information to the internet when he was only permitted to use company equipment in the course of his duties. Employers should review their policies in relation to using personal devices and implement security measures on highly sensitive data to prevent it being copied or shared where possible.
  • Train employees on important obligations such as equality/discrimination laws and data protection. In some cases, an employer can avoid being liable for an employee's actions where they can show they have taken 'all reasonable steps' to prevent it.
  • Ensure that contractors, consultants and other third parties are subject to policies and procedures where appropriate. In the judgement, the Supreme Court confirmed that it was possible for an employer to be liable for the actions of someone who was not an employee where the relationship was 'sufficiently akin' to employment. Employers should therefore make relevant policies applicable to these staff.

If you would like more information please contact our Employment Team or your usual Wilsons contact.
